Unwanted new desktop/user

mac77mac · Oct 12, 2008

I am running 2000 sp4. Comp has been running well until last few days. Mouse froze occasionally. Then today I logged on to my desktop, which appeared as if i was a new user. The comp has 2 regular users, both profiles are limited user level, the Admin. profile is only used for installation etc. never internet access. I found an extra user profile in Docs and Settings which has the same name as my profile but with the comp name appended (after . ) The new profile is not in Control Panel/Users. When I try to log in it always goes to the new profile, although the old one is still there. I ran PCtools antivirus full scan, Spybot S&D, Panda Active Scan, MS Live Online Scan and MS malware removal tool. I also have Comodo BOClean and Spyware Blaster installed. No scan found anything. I use a router with firewall and do all scans regularly and keep everything updated. I am baffled. I don't know whether this is a comp fault or malware. Your help would be most welcome.

TimW · Oct 13, 2008

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

If something does not run, write down the info to explain to us later but keep on going.

Do not assume that because one step does not work that they all will not.

READ & RUN ME FIRST. Malware Removal Guide

Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode. You can running steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.

mac77mac · Oct 14, 2008

Ran scans requested here are the logs. No problems running any of them. Nothing found by Spybot S&D. Thanx. ATM

mac77mac · Oct 14, 2008

Part 2

TimW · Oct 14, 2008

Are you referring to this:
Mac.EGSS-7FMFHGTSYZ

If so, it means that a user profile got corrupt and this is the new user name for that profile....you can learn more in the software section. Basically you just need to delete the Mac user...then rename the Mac.EGSS-7FMFHGTSYZ as you cant have two user profiles with the same name.

We can now clean up from running the scans as your system is clean:

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-
Click to expand...

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

If you get a success message, then:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combofix folder from combofix (if it exists)

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

mac77mac · Oct 15, 2008

Yes, got a success message. Everything is working now. One odd thing happened, i had music files stored in C:\My Music, which i used for downloads. This is now empty. But machine is working fine (indeed fast!) so thank you very much for your help. Best wishes, Mac

TimW · Oct 15, 2008

You are quite welcome.....perhaps you should post in the software section for the missing music files......

Log in or Sign up

Unwanted new desktop/user

mac77mac Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

mac77mac Private E-2

Attached Files:

mbam-log-2008-10-14 (14-18-58).txt

SUPERAntiSpyware Scan Log - 10-14-2008 - 13-46-22.log

mac77mac Private E-2

Attached Files:

ComboFix.txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

mac77mac Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member